
Identity-Based Outsider Anonymous Broadcast Encryption with Simultaneous Individual Messaging

  • Conference paper
Network and System Security (NSS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12570))

Abstract

Broadcast encryption (BE) is an effective method for broadcasting encrypted confidential content, but it does not support the transmission of personalized messages to individual users. Broadcast encryption with personalized messages (BEPM) simultaneously transmits a common encrypted message to a group of users and encrypted personalized messages to individual users. Currently available BEPM schemes fail to provide recipient anonymity, which means that information about the subscriber set is available to adversaries. This paper first introduces a new BEPM paradigm, called identity-based outsider anonymous broadcast encryption with personalized messages (IB-OAnoBEPM), by tweaking the identity-based framework over the most advanced and secure asymmetric Type-3 variant of bilinear maps. Our construction is adaptively secure and achieves indistinguishability under chosen-plaintext attack (IND-CPA) under the standard asymmetric decisional bilinear Diffie-Hellman exponent assumption, without relying on the random oracle model. Moreover, the proposed scheme is the first BEPM system that achieves security without any non-standard q-type assumption. Our design is also very efficient in both communication and computation costs: the ciphertext size is constant, and decryption requires only three asymmetric bilinear pairings to recover the common message and the personalized messages, which is highly desirable for lightweight devices.



Acknowledgements

This research was partially supported by the Ministry of Internal Affairs and Communications SCOPE (Grant Number 182103105) and by JST CREST (Grant Number JPMJCR14D6), Japan.

Corresponding author

Correspondence to Mriganka Mandal.

Appendix A: Proof of Theorem 1

Proof

Assume that there exists a \({\textsf {PPT}}\) adversary \(\mathcal {A}\) in the ciphertext indistinguishability with receiver anonymity game that makes at most a polynomial number of user secret-key queries, say \(q=\textsf {poly}(\eta )\), against our \(\varPi _{\textsf {IB-OAnoBEPM}}\) scheme. We construct a simulator \(\mathcal {B}\) that breaks the asymmetric \(\textsf {DBDHE}\) assumption (cf. Definition 2) using \(\mathcal {A}\) as a subroutine. Here \(\mathcal {B}\) plays the \(\varPi _{\textsf {IB-OAnoBEPM}}\) challenger in the adaptive \(\textsf {IND-CPA}\) ciphertext indistinguishability with receiver anonymity game. At the beginning of the game, \(\mathcal {B}\) obtains the \(\textsf {DBDHE}\) challenge instance \(\big \langle Z=(\mathbb {BG},\ \widetilde{P},\ \widetilde{P}^{\alpha },\ \ldots ,\ \widetilde{P}^{{\alpha }^{m}},\ \widetilde{P}^{{\alpha }^{m+2}},\ \ldots ,\ \widetilde{P}^{{\alpha }^{2m}},\ P,\ P^{\alpha },\ \ldots ,\ P^{{\alpha }^{m}},\ P^{c}),\ K\big \rangle \) and must decide whether K is \(e(P,\widetilde{P})^{\alpha ^{m+1}\cdot c}\) or a random element X of the target group \(\mathbb {G}_{T}^{\times }\), where \(\alpha , c \in _R \mathbb {Z}^{*}_p\), \(\mathbb {BG}=(p,\mathbb {G}^{\times },\widetilde{\mathbb {G}}^{\times },\mathbb {G}_{T}^{\times },e)\), and P, \(\widetilde{P}\) are random generators of \(\mathbb {G}^{\times }\) and \(\widetilde{\mathbb {G}}^{\times }\) respectively. The simulator \(\mathcal {B}\) proceeds as follows.

  • Setup: Initially, \(\mathcal {B}\) sets an integer \(m=4q\) and randomly chooses further integers \(k_{j}\in \{0,1,\ldots ,N\}\) and \(x_{j}\in \{0,1,\ldots ,m-1\}\) for \(1\le j \le N\). It also randomly selects \(y^{'},a \in \mathbb {Z}_{p}^{*}\). Then, for a user \(j\in [N]\) with \(ID_{j}\in \mathbb {Z}_{p}^{*}\), \(\mathcal {B}\) defines the following functions.

    $$\begin{aligned} \mathcal {F}(ID_{j}) &= (p-mk_{j})+x^{'}+x_{j}+ID_{j}, \qquad \mathcal {J}(ID_{j}) = y^{'}+ID_{j}, \quad \text {and}\\ \mathcal {Q}(ID_{j}) &= {\left\{ \begin{array}{ll} 0, & \text {if}~~x_{j}+ID_{j} \equiv 0~(\bmod {~m})\\ 1, & \text {otherwise} \end{array}\right. } \end{aligned}$$

    To publish the master public-key \(\textsf {OAnoMPK}\), \(\mathcal {B}\) chooses a collision-resistant cryptographic hash function \(H:\{0,1\}^{l}\rightarrow \mathbb {Z}_{p}^{*}\). It computes the group elements \(\widetilde{P}_{1}=\widetilde{P}^{\alpha }\), \(\widetilde{P}_{2}=\widetilde{P}^{\alpha ^{N}+a}\), \(P_{2}=P^{\alpha ^{N}+a}\), \(\big \{\widetilde{Y}_{i}=\widetilde{P}^{\alpha ^{i}}\big \}_{i=1,i\ne N+1}^{2N}\), \(\big \{Y_{i}=P^{\alpha ^{i}}\big \}_{i=1}^{N}\) from the \(\textsf {DBDHE}\) challenge instance \(\big \langle Z,K\big \rangle \).

       Finally, it sets the components \(U_{j}=P\cdot Y_{N-j+1},\) \(\widetilde{U}_{j}=\widetilde{P}\cdot \widetilde{Y}_{N-j+1},\) \(\widetilde{f}_{j}=\widetilde{P}^{y^{'}}\cdot \widetilde{Y}^{p-mk_{j}+x_{j}}_{N-j+1},\) \({f}_{j}={P}^{y^{'}}\cdot {Y}^{p-mk_{j}+x_{j}}_{N-j+1},\) \(\varOmega =e(P_{2},\widetilde{P}_{1})\) and publishes the simulated master public-key \({\textsf {OAnoMPK}}=(P,\ \widetilde{P},\ \widetilde{P}_{1},\ \widetilde{P}_{2},\ P_{2},\ \{f_{j}\}_{j=1}^{N},\ \{U_{j}\}_{j=1}^{N},\ \varOmega ,\ H)\). It also sets the simulated master secret-key \({\textsf {OAnoMSK}}=({\widetilde{P}_{2}}^{\alpha },\ \{\widetilde{f}_{j}\}_{j=1}^{N},\ \{\widetilde{U}_{j}\}_{j=1}^{N})\) and keeps it secret.

  • Phase 1: Now, \(\mathcal {A}\) adaptively issues polynomially many, say \(q=\textsf {poly}(\eta )\), user secret-key queries. The adversary \(\mathcal {A}\) sends an identity \(id_{u} \in \{0,1\}^{l}\) of a user \(u\in [N]\) to \(\mathcal {B}\). To return a valid secret-key, \(\mathcal {B}\) computes \(ID_{i}=H(id_{i})\in \mathbb {Z}^{*}_{p}\) for \(1\le i \le N\) and does the following.

    • If \(\mathcal {Q}(ID_{u})=0\), \(\mathcal {B}\) aborts the game and outputs a random bit from \(\{0,1\}\) as its answer to the asymmetric \(\textsf {DBDHE}\) problem.

    • Otherwise, \(\mathcal {B}\) randomly chooses an exponent \(r\in \mathbb {Z}_{p}^{*}\) and sets \(d_{u,0}={\widetilde{P}}^{r}\cdot \widetilde{Y}_{u}^{-\frac{1}{\mathcal {F}(ID_{u})}}\), \(d_{u,u}={\widetilde{P}_{1}}^{a}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}}(\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\), \(d_{u,N}=(\widetilde{P}_{2})^{ID_{u}}\) and \(d_{u,j}=(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}}\cdot \widetilde{Y}_{N-j+1+u}^{-\frac{\mathcal {F}(ID_{j})}{\mathcal {F}(ID_{u})}},~\text {for}~1\le j\ne u \le N\).

    • Finally, \(\mathcal {B}\) returns the secret-key \({\textsf {OAnoSK}_{u}}=(d_{u,0},d_{u,u},d_{u,N},\{d_{u,j}:1\le j\ne u \le N\})\) to the adversary \(\mathcal {A}\).

    Observe that the components of \({\textsf {OAnoSK}_{u}}\) are valid secret-key components, distributed as in the original protocol. Setting \(\widehat{r}=r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}\), we have

    $$\begin{aligned} d_{u,0}=&{\widetilde{P}}^{r}\cdot \widetilde{Y}_{u}^{-\frac{1}{\mathcal {F}(ID_{u})}}= \widetilde{P}^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=(\widetilde{P})^{\widehat{r}},~d_{u,N}=(\widetilde{P}_{2})^{ID_{u}}\\
    d_{u,u}=&{\widetilde{P}_{1}}^{a}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}}(\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}= \widetilde{P}^{a\alpha -\frac{\alpha ^{u}\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}} \cdot \widetilde{P}^{\alpha ^{N+1}-\alpha ^{N+1}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\
    =&\widetilde{P}^{a\alpha }\cdot \widetilde{P}^{\alpha ^{N+1}} \cdot \widetilde{P}^{-\frac{\alpha ^{u}\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}-\alpha ^{N+1}\frac{\mathcal {F}(ID_{u})}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\
    =&\widetilde{P}^{(a\alpha +\alpha ^{N+1})}\big (\widetilde{P}^{\alpha ^{N-u+1}\mathcal {F}(ID_{u})} \cdot \widetilde{P}^{\mathcal {J}(ID_{u})}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\
    =&\widetilde{P}_{2}^{\alpha }\big (\widetilde{P}^{\alpha ^{N-u+1}(p-mk_{u}+x_{u}+ID_{u})+y^{'} +ID_{u}}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\
    =&\widetilde{P}_{2}^{\alpha }\big (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}}\big )^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=\widetilde{P}_{2}^{\alpha }\big (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}}\big )^{\widehat{r}}\\
    d_{u,j}=&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}}\cdot \widetilde{Y}_{N-j+1+u}^{-\frac{\mathcal {F}(ID_{j})}{\mathcal {F}(ID_{u})}}\\
    =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r} \cdot \widetilde{P}^{-\frac{\alpha ^{u}\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}-\frac{\alpha ^{(N-j+1+u)} \mathcal {F}(ID_{j})}{\mathcal {F}(ID_{u})}}\\
    =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \big (\widetilde{P}^{y^{'}+\alpha ^{N-j+1}(p-mk_{j}+x_{j})+ID_{j}+ID_{j}\alpha ^{N-j+1}}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}\\
    =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{\widehat{r}} \end{aligned}$$

    The simulator \(\mathcal {B}\) can perform the above computations if and only if \(\mathcal {F}(ID_{u})\ne 0~(\bmod {~p})\). In fact, \(\mathcal {Q}(ID_{u})\ne 0\) suffices to continue the above computations, since \(\mathcal {Q}(ID_{u})\ne 0\) implies \(\mathcal {F}(ID_{u})\ne 0~(\bmod {~p})\).

  • Challenge: Now, \(\mathcal {A}\) submits two equal-length messages \(M_{0},M_{1}\) and two receiver sets \(\mathcal {S}_{0}\), \(\mathcal {S}_{1}\), each containing \(L=\textsf {poly}(\eta )\) user identities, subject to the restriction that for every \(id_{u}\) queried in Phase 1, \(ID_{u}=H(id_{u})\in \mathcal {S}_{0}\cap \mathcal {S}_{1}\). Assume that the challenge set is of the form \(\mathcal {S}_{\varkappa }=\big \{ID_{\varkappa ,i}\big \}_{i=1}^{L}\) for \(\varkappa \in \{0,1\}\). Now, \(\mathcal {B}\) aborts the game and outputs a random bit from \(\{0,1\}\) if \(\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} \alpha ^{N-j+1}(p-mk_{j}+x_{j}+ID_{\varkappa ,j}) \ne 0~(\bmod {~p})\) holds. Otherwise, \(\mathcal {B}\) chooses \(\zeta ,\varkappa \in _{R}\{0,1\}\) and computes the ciphertext components for the set \(\mathcal {S}_{\varkappa }=\big \{ID_{\varkappa ,i}\big \}_{i=1}^{L}\) as follows.

    $$\begin{aligned} C_{\varkappa ,\zeta ,0}=P^{c},~C_{\varkappa ,\zeta ,1}=P^{c(\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}y^{'}+ID_{\varkappa ,j})},~C_{\varkappa ,\zeta ,2}=M_{\zeta }e(P^{c},\widetilde{P}_{1}^{a})K \end{aligned}$$

    It sets the personalized keys as \(K_{u}^{(\varkappa ,\zeta )}=e(P^{c},{\widetilde{P}}_{2}^{ID_{u}})\cdot e(P^{c},\widetilde{P}_{1}^{a})K \) for each user identity \(ID_{u} \in \mathcal {S}_{\varkappa }\). Here, K is taken from the \(\textsf {DBDHE}\) challenge instance. Finally, \(\mathcal {B}\) passes \(\mathcal {A}\) the challenge ciphertext \(\textsf {CT}=\big (C_{\varkappa ,\zeta ,0},\ C_{\varkappa ,\zeta ,1},\ C_{\varkappa ,\zeta ,2}\big )\) corresponding to the message \(M_{\zeta }\) and the set \(\mathcal {S}_{\varkappa }\).

       Note that \(\textsf {CT}\) is a valid ciphertext for the challenge message \(M_{\zeta }\) and the challenge set \(\mathcal {S}_{\varkappa }\). Setting \(s=c\) and \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\), we have

    $$\begin{aligned} C_{\varkappa ,\zeta ,0}=&P^{c}=P^{s}\\ C_{\varkappa ,\zeta ,1}=&P^{c\big (\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}\mathcal {J}(ID_{\varkappa ,j})\big )} =P^{c\big (\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}y^{'}+ID_{\varkappa ,j}\big )}\\ =&\bigg [\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} P^{\alpha ^{N-j+1}(p-mk_{j}+x_{j})}\cdot P^{y^{'}} \cdot P^{\alpha ^{N-j+1}ID_{\varkappa ,j}} \cdot P^{ID_{\varkappa ,j}}\bigg ]^{c}\\ =&\big (\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} f_{j}\cdot U_{j}^{ID_{\varkappa ,j}}\big )^{c}=\big (\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} f_{j}\cdot U_{j}^{ID_{\varkappa ,j}}\big )^{s}\\ C_{\varkappa ,\zeta ,2}=&M_{\zeta }\cdot K\cdot e(P^{c},\widetilde{P}_{1}^{a})=M_{\zeta } e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}} e(P^{c},\widetilde{P}_{1}^{a})=M_{\zeta } e(P,\widetilde{P})^{(\alpha ^{N}+a)c\alpha } \end{aligned}$$

    Since \((\alpha ^{N}+a)c\alpha \) and s are uniformly distributed over \(\mathbb {Z}_{p}^{*}\), \(\textsf {CT}\) is valid and uniformly distributed over the ciphertext space. Similarly, the following computation shows that the personalized keys \(K_{u}^{(\varkappa ,\zeta )}\) are also valid.

    $$\begin{aligned} K_{u}^{(\varkappa ,\zeta )}=&e(P^{c},{\widetilde{P}}_{2}^{ID_{u}})\cdot e(P^{c},\widetilde{P}_{1}^{a})K\\ =&e(P^{\alpha ^{N}+a},{\widetilde{P}}^{ID_{u}})^{c} \cdot e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}} e(P^{c},\widetilde{P}_{1}^{a})\\ =&e(P_{2},{\widetilde{P}}^{ID_{u}})^{c} \cdot e(P,\widetilde{P})^{(\alpha ^{N}+a)c\alpha } \end{aligned}$$

  • Phase 2: The adversary \(\mathcal {A}\) can adaptively issue additional user secret-key queries as in Phase 1, with the restriction that the queried identities lie in \(\mathcal {S}_{0} \cap \mathcal {S}_{1}\).

  • Guess: Finally, \(\mathcal {A}\) returns a guess \((\zeta ^{'},\varkappa ^{'})\in \{0,1\}\times \{0,1\}\) of \((\zeta ,\varkappa )\) to \(\mathcal {B}\).

Probability analysis

If \((\zeta ^{'},\varkappa ^{'})=(\zeta ,\varkappa )\), \(\mathcal {B}\) outputs 0, indicating that \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\); otherwise, it outputs 1, indicating that K is a random element of \(\mathbb {G}_{T}^{\times }\). The simulation by \(\mathcal {B}\) is perfect when \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\). Therefore, we have

$$\begin{aligned} {\text {Pr}\left[ \mathcal {B}\left( Z,K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\right) =0\right] =\frac{1}{4}+{\textsf {Adv}}^{{\textsf {IND-CPA}}}_{{\mathcal {A}},\textsf {IB-OAnoBEPM}}(\eta )}, \end{aligned}$$

where \({\textsf {Adv}}^{{\textsf {IND-CPA}}}_{{\mathcal {A}},\textsf {IB-OAnoBEPM}}(\eta )\) is the advantage of \(\mathcal {A}\) in the above game. On the other hand, when \(K=X\) is a random element of \(\mathbb {G}_{T}^{\times }\), the message is completely hidden from \(\mathcal {A}\). Therefore, we have

$$\begin{aligned} {\text {Pr}\left[ \mathcal {B}\left( Z,K=X\right) =0\right] =\frac{1}{4}} \end{aligned}$$

Hence, the advantage of \(\mathcal {B}\) in breaking the \(\textsf {DBDHE}\) challenge is

$$\begin{aligned} Adv_{\mathcal {B}}^{{\textsf {DBDHE}}}(\eta )= & {} \Big |\text {Pr}\left[ \mathcal {B}\left( Z,K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\right) =0\right] -\text {Pr}\left[ \mathcal {B}\left( Z,K=X\right) =0\right] \Big |\\= & {} {\left| \frac{1}{4}+{\textsf {Adv}}^{{\textsf {IND-CPA}}}_{{\mathcal {A}},\textsf {IB-OAnoBEPM}}(\eta )-\frac{1}{4}\right| ~={\textsf {Adv}}^{{\textsf {IND-CPA}}}_{{\mathcal {A}},\textsf {IB-OAnoBEPM}}(\eta )} \end{aligned}$$

Therefore, if \(\mathcal {A}\) has non-negligible advantage in correctly guessing \((\zeta ,\varkappa )\), then \(\mathcal {B}\) distinguishes \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\) from a random element of \(\mathbb {G}_{T}^{\times }\) (i.e., breaks the \(\textsf {DBDHE}\) challenge) with non-negligible advantage.

This completes the proof.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Mandal, M., Nuida, K. (2020). Identity-Based Outsider Anonymous Broadcast Encryption with Simultaneous Individual Messaging. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science(), vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_10

  • DOI: https://doi.org/10.1007/978-3-030-65745-1_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65744-4

  • Online ISBN: 978-3-030-65745-1
